When you inspect the System event log on your Windows Server 2003 domain controller, it contains one event per day, similar to:
Event ID: 5774
Computer: <Computer Name>
Details: The dynamic registration of the DNS record recordName failed on the following DNS server:
DNS server IP address: ServerIPAddress
Returned Response Code (RCODE): 0
Returned Status Code: 9505
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION: Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended.
When a DNS server that accepts non-secure dynamic updates registers the IP address of a DNS client that only permits secure dynamic updates, the NETLOGON service reports an error with status 9505 to the DNS server.
NOTE: The update was successful but it is NOT secure.
To resolve this issue, ensure that both the _msdcs.domain.suffix and domain.suffix zones are set to accept only secure dynamic updates, or change the Group Policy for the DNS client service so it does not have to use secure dynamic updates (see tip 4968).
To force a client computer to use secure dynamic updates without using group policy:
1. Copy and paste the following into an UpdateSecurityLevel.reg file:
2. Merge the UpdateSecurityLevel.reg file with the client registry, or run regedit /s UpdateSecurityLevel.reg
3. Restart the client computer.
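
To confirm which side of the mismatch described above is in effect, the following read-only check compares the DNS client's UpdateSecurityLevel with each zone's AllowUpdate setting. It is an added example, not part of the original tip. It assumes PowerShell and dnscmd.exe (Support Tools) are available on the domain controller, that the zone names are replaced with your own, and that dnscmd prints the property in its usual "Dword:" form.

```powershell
# Added example: read-only comparison of client and zone dynamic update settings.
param(
    [string[]]$Zones = @('_msdcs.domain.suffix', 'domain.suffix'),  # placeholders from the tip
    [string]$DnsServer = '.'                                        # '.' = local DNS server
)

# UpdateSecurityLevel (DNS client): 0 = nonsecure first, secure only if refused (default),
# 16 = nonsecure only, 256 = secure only. The Group Policy copy wins over the local one.
$paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
         'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$level = 0
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name UpdateSecurityLevel -ErrorAction SilentlyContinue).UpdateSecurityLevel
    if ($null -ne $v) { $level = [int]$v; break }
}
Write-Output "Client UpdateSecurityLevel = $level"

foreach ($zone in $Zones) {
    # AllowUpdate (zone): 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
    # Assumption: dnscmd prints the property as "Dword: <n> (<hex>)".
    try   { $out = & dnscmd.exe $DnsServer /ZoneInfo $zone AllowUpdate 2>&1 | Out-String }
    catch { $out = '' }   # dnscmd.exe missing or failed to start
    if ($out -match 'Dword:\s*(\d+)') { $allow = [int]$Matches[1] } else { $allow = -1 }

    if ($allow -eq -1) {
        $verdict = 'could not read AllowUpdate; check the zone name and dnscmd output'
    } elseif ($level -eq 256 -and $allow -eq 1) {
        $verdict = 'MISMATCH: secure-only client, zone accepts nonsecure updates (the status 9505 case)'
    } elseif ($allow -eq 2) {
        $verdict = 'zone accepts only secure dynamic updates'
    } elseif ($allow -eq 1) {
        $verdict = 'zone accepts nonsecure updates; client is not secure-only'
    } else {
        $verdict = 'zone does not accept dynamic updates'
    }
    Write-Output "$zone AllowUpdate = $allow -> $verdict"
}
```

The script changes nothing; run it again after adjusting the zones or the client setting and re-registering the records to confirm the mismatch is gone.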